[ VENDOR PROFILE · LEGAL AI ]

Harvey AI.

Harvey is a generative AI platform built specifically for law firms and professional services. It is positioned as an enterprise-tier alternative to consumer ChatGPT use within a firm, with a contractually-committed no-training-on-customer-data posture and an enterprise security stack. The platform is widely adopted at the AmLaw 100 level and has secured large rounds of venture capital. Use cases include drafting, research, contract review, due diligence, and matter-specific analysis.

AUTHOR: Dan Hughes
UPDATED
COMPANY: Harvey AI Inc.
TIER: Enterprise
READING: ~5 minutes
· 01 ·

The corpus.

Harvey does not publicly enumerate its underlying corpus. The platform integrates with foundation models (the specific providers are not enumerated on the security page) and supports firm-uploaded documents as matter context. Customers may opt into bespoke model training, creating firm-exclusive models trained on the firm's own documents.

· 02 ·

Training-data policy.

Harvey contractually commits, through its Platform Agreement, that "inputs, outputs, or uploaded documents" are not used to train underlying models. This commitment is the platform default. Bespoke training, where the firm explicitly opts in to a firm-exclusive model trained on its own documents, is the named exception.

· 03 ·

Retention.

Retention windows are customer-configurable rather than fixed by default. Harvey states customers can "delete data anytime" and "set retention policies," and the platform supports data lifecycle management as a feature.

· 04 ·

Certifications and attestations.

SOC 2 Type II (annual), ISO 27001 (annual), ISO 27701 (privacy management), and ISO 42001 (AI management). Independent auditors include Schellman, NCC Group, and Bishop Fox. A GDPR and CCPA compliance posture is documented. A formal BAA is not specifically advertised on the security page, though a Security Addendum is referenced.

· 05 ·

Enterprise controls.

Controls include SAML SSO, audit logs, IP allow-listing, role-based access controls, and logical workspace separation between matters. Harvey passes on contractual security commitments to sub-processors and external model providers (this is the public-page description; the sub-processor list itself is not enumerated on the page).

· 06 ·

IXSOR tier rating: Enterprise.

Enterprise rating is supported by the SOC 2 Type II + ISO 27001/27701/42001 stack, the contractual no-training commitment, and the named-auditor attestation chain. The two open questions for any firm doing diligence on Harvey before purchase are (a) the sub-processor list, which is not public, and (b) the BAA terms, which are not advertised on the page. Both are normal vendor-diligence questions to resolve before the firm signs.

· 07 ·

Recommended uses.

  • Drafting and analysis where the matter scope is well-defined and contained.
  • Contract review and due diligence where Harvey's workspace isolation is the privacy mechanism.
  • Use after the firm's vendor-diligence process has confirmed the sub-processor list and BAA terms in writing.

· 08 ·

Diligence cautions.

  • Sub-processor list is not publicly enumerated; obtain in writing from Harvey before signing.
  • BAA terms not advertised on the security page; if the matter involves PHI, the BAA must be a deal condition.
  • The contractual commitments matter for privilege; the firm should preserve a copy of the Platform Agreement at the date of use.

· 09 ·

Primary sources.

Vendor profile compiled from publicly-available primary documents at the date noted. Vendor terms change frequently; verify current terms with the vendor before relying on this summary. Not legal advice. Dan Hughes is not an attorney; IXSOR does not provide legal services.
